externalize all js, to lock down CSP

This moves what little js we have into an external file. That way, we can lock down the content security policy preetty strictly:

default-src 'none'; script-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; frame-ancestors 'none'; base-uri 'none'; form-action 'self'